Re: [Full-disclosure] ms12-020 PoC

P.S. Before someone starts accusing me of "spamming" for the book, (one asshat tried to compare me to Juan what's-his-face once) note you can actually view most of the RDP chapter (and others) on the Amazon "preview a page" feature if you would like.

If you are interested in RDP security, I suggest you take a free read on Amazon. Many are worried about worm activity from 020, and I am far more interested in pointing you to free material that helps you secure yourself and others than I am trying to make a buck on the book.

If anyone has any questions about how any of this works, I'm happy to help if I can.

You establish a connection to TSGateway via RPC over HTTP in an SSL tunnel.
Once you are authenticated and authorized, the TSGateway server will
establish a connection via RDP to the target server, tunneling the RDP
connection back to you within the RPC/HTTP(S) channel.

As such, TSGateway is obviously unaffected by this vulnerability. For those of
you looking for mitigation and not kiddie code to pop a box, note that simply
using NLA mitigates both RDP issues.

This might be a good time to point out that anyone who followed any of my
advice in the RDP chapter of Thor's Microsoft Security Bible, or who is using
the little ThoRDP tool I wrote (also in the book) was protected from these
vulnerabilities way before they were discovered. I say that to simply identify
that some simple, effective techniques can be deployed that thwart the
hours and hours people put into developing exploit code and the wasted time
chasing all this stuff down. *THAT* is what security is about, btw.
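The NLA point above, turned into a check you can run against your own hosts. This is an added example, not code from the post, from Thor's Microsoft Security Bible, or from ThoRDP. It performs only the X.224 Connection Request / Confirm exchange from MS-RDPBCGR, requesting the classic RDP and TLS security layers but deliberately not CredSSP (NLA). A server that enforces NLA answers with an RDP_NEG_FAILURE of HYBRID_REQUIRED_BY_SERVER; a server that answers with an RDP_NEG_RSP, or with a pre-negotiation confirm carrying no rdpNegData at all, will proceed with the rest of the connection sequence before any user credential is checked. The protocol constants are from the specification; the three sample replies in the block are constructed by hand, not captured from any real host.

```python
"""Probe an RDP listener for NLA enforcement via the X.224 CR/CC exchange.

Added example (not from the post, Thor's book, or ThoRDP).  Constants are
from MS-RDPBCGR 2.2.1.1/2.2.1.2; the SAMPLE_* replies are constructed.
"""
import socket
import struct

# requestedProtocols / selectedProtocol flags
PROTOCOL_RDP = 0x00000000        # classic RDP security: no user pre-auth
PROTOCOL_SSL = 0x00000001        # TLS transport: still no user pre-auth
PROTOCOL_HYBRID = 0x00000002     # CredSSP, i.e. NLA
PROTOCOL_HYBRID_EX = 0x00000008  # CredSSP with early user authorization

TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03
HYBRID_REQUIRED_BY_SERVER = 0x00000005

FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER", 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols: int) -> bytes:
    """TPKT + X.224 Connection Request + RDP_NEG_REQ (no cookie)."""
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    # X.224 LI counts every byte after itself: 6 fixed header bytes + rdpNegReq
    x224_cr = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0)
    tpkt = struct.pack(">BBH", 3, 0, 4 + len(x224_cr) + len(neg_req))
    return tpkt + x224_cr + neg_req


def parse_connection_confirm(data: bytes) -> dict:
    """Decode TPKT + X.224 Connection Confirm (+ optional rdpNegData)."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT-framed X.224 PDU")
    if struct.unpack(">H", data[2:4])[0] > len(data):
        raise ValueError("truncated TPKT")
    li, code = data[4], data[5]
    if code >> 4 != 0xD:
        raise ValueError("not an X.224 Connection Confirm")
    if li == 6:
        # No rdpNegData: a server from before protocol negotiation existed,
        # which only speaks classic RDP security.
        return {"kind": "legacy", "selected_protocol": PROTOCOL_RDP}
    if len(data) < 19:
        raise ValueError("rdpNegData missing")
    ntype, flags, _length, value = struct.unpack("<BBHI", data[11:19])
    if ntype == TYPE_RDP_NEG_RSP:
        return {"kind": "response", "flags": flags, "selected_protocol": value}
    if ntype == TYPE_RDP_NEG_FAILURE:
        return {"kind": "failure", "failure_code": value,
                "failure_name": FAILURE_CODES.get(value, "UNKNOWN")}
    raise ValueError(f"unexpected rdpNegData type {ntype:#x}")


def classify(confirm: dict) -> str:
    """'nla-required', 'no-nla' (connection sequence runs pre-auth), or 'refused'."""
    if confirm["kind"] == "failure":
        return ("nla-required" if confirm["failure_code"] == HYBRID_REQUIRED_BY_SERVER
                else "refused")
    if confirm["selected_protocol"] & (PROTOCOL_HYBRID | PROTOCOL_HYBRID_EX):
        return "nla-required"
    return "no-nla"


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during X.224 exchange")
        buf += chunk
    return buf


def probe(host: str, port: int = 3389, timeout: float = 5.0) -> str:
    """Offer RDP|SSL but not HYBRID: an NLA-enforcing listener must refuse."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request(PROTOCOL_RDP | PROTOCOL_SSL))
        header = _recv_exact(sock, 4)
        body = _recv_exact(sock, struct.unpack(">H", header[2:4])[0] - 4)
    return classify(parse_connection_confirm(header + body))


# Constructed sample replies (hex), not captured from any real host.
SAMPLE_NLA_REQUIRED = bytes.fromhex("030000130ed00000123400" "0300080005000000")
SAMPLE_CLASSIC_RDP = bytes.fromhex("030000130ed00000123400" "0200080000000000")
SAMPLE_LEGACY = bytes.fromhex("0300000b06d00000123400")

if __name__ == "__main__":
    import sys
    for name, sample in (("nla", SAMPLE_NLA_REQUIRED), ("classic", SAMPLE_CLASSIC_RDP),
                         ("legacy", SAMPLE_LEGACY)):
        print(name, classify(parse_connection_confirm(sample)))
    if len(sys.argv) > 1:
        print(sys.argv[1], probe(sys.argv[1]))
```

With no arguments the script only classifies the three constructed samples; pass a hostname to probe a live listener. A result of no-nla on a host you believe is hardened means NLA is not actually being enforced on that listener, whatever the GUI says.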